Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alex
v1.0.0Conducts verified, up-to-date research on industry trends, news, competitors, and market opportunities with cited sources and structured summaries.
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (deep research, news, competitors, cited sources) aligns with the SKILL.md instructions to search the web, provide ≥5 results, and cite sources. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
Instructions stay within research scope (always search web, use web_search tool, cite links, structured output). The file contains a 'System Prompt' block (prompt-style instructions) and a directive to 'Respond with your evaluation as a single JSON object' which is a formatting requirement — expected for skill prompts but flagged by the scanner as a system-prompt-override pattern. The instructions do not ask to read local files, environment variables, or send data to unexpected endpoints.
Install Mechanism
No install specification or code files — instruction-only skill. This minimal footprint reduces risk; nothing will be written to disk or fetched at install time.
Credentials
No environment variables, credentials, or config paths are requested. This is proportionate for a web-research skill that uses an external web_search tool provided by the agent platform.
Persistence & Privilege
always is false and the skill does not request any elevated or persistent privileges. Autonomous invocation is allowed (platform default) but not combined with other concerning permissions.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md contains an explicit system-style prompt block to steer the skill's behavior — this is common for instruction-only skills. It is a prompt-injection pattern flagged by the scanner but appears intended to define the skill's role. Operators should ensure the platform applies it only as skill instructions (not as a privileged global system prompt).
Assessment
This skill appears to be what it says: a research assistant that must use the agent's web_search tool and return cited results. Before installing, confirm: (1) the 'web_search' tool the agent will use is trusted and doesn't leak local files or secrets when performing queries; (2) the platform treats the SKILL.md prompt as skill-scoped instructions (not a global system prompt); and (3) you won't be asked later to grant extra credentials or tools (e.g., browser automation, proxies) that the skill's description does not mention. If you rely on private or sensitive data, avoid allowing the skill to run autonomously until you verify its network/tooling behavior.SKILL.md:3
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk971fxhpjfmj3ycm46pd1kb8n583tqd1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.